https://community.splunk.com/t5/Getting-Data-In/Indexing-xml-log-file-input/m-p/54296#M10488 <P>I have a log file wherea typical line entry is as below ... I am trying to construct REGEX to be included in the "transforms.conf" file on indexer to break the line into fields such as "NS" , "subproduct", "command" , "result" ,"time" I.E by XML tags .Any help is appreciated </P> <P>20110803 000000| <RTTLOG><ID>427</ID><NS>urn:ietf:params:xml:ns:domain-1.0</NS><SUBPRODUCT>dotTV</SUBPRODUCT><COMMAND>check</COMMAND><RESULT>1000</RESULT><TIME>7</TIME></RTTLOG></P> Fri, 05 Aug 2011 15:49:16 GMT desi-indian 2011-08-05T15:49:16Z https://community.splunk.com/t5/Getting-Data-In/Indexing-xml-log-file-input/m-p/54296#M10488 <P>I have a log file wherea typical line entry is as below ... I am trying to construct REGEX to be included in the "transforms.conf" file on indexer to break the line into fields such as "NS" , "subproduct", "command" , "result" ,"time" I.E by XML tags .Any help is appreciated </P> <P>20110803 000000| <RTTLOG><ID>427</ID><NS>urn:ietf:params:xml:ns:domain-1.0</NS><SUBPRODUCT>dotTV</SUBPRODUCT><COMMAND>check</COMMAND><RESULT>1000</RESULT><TIME>7</TIME></RTTLOG></P> Fri, 05 Aug 2011 15:49:16 GMT https://community.splunk.com/t5/Getting-Data-In/Indexing-xml-log-file-input/m-p/54296#M10488 desi-indian 2011-08-05T15:49:16Z https://community.splunk.com/t5/Getting-Data-In/Indexing-xml-log-file-input/m-p/54297#M10489 <P>This should work:</P> <P>transforms.conf</P> <PRE><CODE>[simple-xml-tags] REGEX = &lt;(\w+)&gt;([^&lt;]+)&lt;/ FORMAT = $1::$2 </CODE></PRE> <P>props.conf</P> <PRE><CODE>[my_sourcetype] REPORT-xml-tags = simple-xml-tags </CODE></PRE> Fri, 05 Aug 2011 15:58:13 GMT https://community.splunk.com/t5/Getting-Data-In/Indexing-xml-log-file-input/m-p/54297#M10489 ziegfried 2011-08-05T15:58:13Z https://community.splunk.com/t5/Getting-Data-In/Indexing-xml-log-file-input/m-p/54298#M10490 <P>I tried this and still not able to get the data extracted ..Here are mt props.conf and transforms.conf entries</P> <P>Props.conf</P> <P>[source::...tcpig.\d+.\sla.\$]</P> <P>sourcetype = ig_sla</P> <P>[ig_sla]</P> <P>TIME_FORMAT = %Y%m%d %H%M%S</P> <P>TZ = US/Eastern</P> <P>MAX_EVENTS=1</P> <P>SHOULD_LINEMERGE = false</P> <P>LINE_BREAKER = &gt;\s*(?=&lt;rttlog&gt;)</P> <P>REPORT-xmlext = xml-extr</P> <P>transforms.conf</P> <P>[xml-extr]</P> <P>REGEX = &lt;(\w+)&gt;([^&lt;]+)&lt;/</P> <P>FORMAT = reg_id::"$1" NS::"$2" sub_product::"$3" command::"$4" response_code::"$5"<BR /> response_time::"$6"</P> Mon, 28 Sep 2020 09:47:03 GMT https://community.splunk.com/t5/Getting-Data-In/Indexing-xml-log-file-input/m-p/54298#M10490 desi-indian 2020-09-28T09:47:03Z https://community.splunk.com/t5/Getting-Data-In/Indexing-xml-log-file-input/m-p/54299#M10491 <P>Can you make sure that the sourcetype is actually applied to those events? There is a bug on splunkbase, that doubles the backslashes . There should only be one in the REGEX stanza...</P> Mon, 08 Aug 2011 12:08:30 GMT https://community.splunk.com/t5/Getting-Data-In/Indexing-xml-log-file-input/m-p/54299#M10491 ziegfried 2011-08-08T12:08:30Z https://community.splunk.com/t5/Getting-Data-In/Indexing-xml-log-file-input/m-p/54300#M10492 <P>REGEX = &lt;(\w+)&gt;([^&lt;]+)&lt;/</P> Mon, 08 Aug 2011 12:08:49 GMT https://community.splunk.com/t5/Getting-Data-In/Indexing-xml-log-file-input/m-p/54300#M10492 ziegfried 2011-08-08T12:08:49Z